Merge pull request #104 from thehale/master

Olivier Chédru · web-flow · commit 2a3733e20d44 · 2023-05-06T23:53:04.000+02:00
fix: Limit multiple license splits to SPDX `OR`
diff --git a/liccheck/command_line.py b/liccheck/command_line.py
@@ -223,16 +223,16 @@ def check_one(license_str, license_rule="AUTHORIZED", as_regex=False):
 
     at_least_one_unauthorized = False
     count_authorized = 0
-    for license in pkg["licenses"]:
-        lower = license.lower()
+    licenses = get_license_names(pkg["licenses"])
+    for license in licenses:
         if check_one(
-            lower,
+            license,
             license_rule="UNAUTHORIZED",
             as_regex=as_regex,
         ):
             at_least_one_unauthorized = True
         if check_one(
-            lower,
+            license,
             license_rule="AUTHORIZED",
             as_regex=as_regex,
         ):
@@ -247,7 +247,7 @@ def check_one(license_str, license_rule="AUTHORIZED", as_regex=False):
         )
         or (
             count_authorized
-            and count_authorized == len(pkg["licenses"])
+            and count_authorized == len(licenses)
             and level is Level.PARANOID
         )
     ):
@@ -259,6 +259,13 @@ def check_one(license_str, license_rule="AUTHORIZED", as_regex=False):
 
     return Reason.UNKNOWN
 
+def get_license_names(licenses):
+    names = []
+    for license in licenses:
+        options = license.split(" OR ")
+        for option in options:
+            names.append(option.lower())
+    return names
 
 def find_parents(package, all, seen):
     if package in seen:
diff --git a/test-requirements.txt b/test-requirements.txt
@@ -3,3 +3,4 @@ pytest-cov
 python-openid;python_version<="2.7"
 python3-openid;python_version>="3.0"
 pytest-mock>=1.10
+tox
diff --git a/tests/test_check_package.py b/tests/test_check_package.py
@@ -25,6 +25,11 @@ def packages():
             "version": "1",
             "licenses": ["authorized 1", "unauthorized 1"],
         },
+        {
+            "name": "auth_one_or_unauth_one",
+            "version": "2",
+            "licenses": ["authorized 1 OR unauthorized 1"],
+        },
         {
             "name": "unauth_one",
             "version": "2",
@@ -52,6 +57,12 @@ def packages():
         },
     ]
 
+def strategy_with_one_auth(license):
+    return Strategy(
+        authorized_licenses=[license.lower()],
+        unauthorized_licenses=[],
+        authorized_packages={},
+    )
 
 @pytest.mark.parametrize(
     ("strategy_params", "as_regex"),
@@ -77,13 +88,43 @@ def packages():
 @pytest.mark.parametrize(
     ("level", "reasons"),
     [
-        (Level.STANDARD, [OK, OK, OK, UNAUTH, OK, UNAUTH, OK, UNKNOWN]),
-        (Level.CAUTIOUS, [OK, OK, UNAUTH, UNAUTH, OK, UNAUTH, OK, UNKNOWN]),
-        (Level.PARANOID, [OK, OK, UNAUTH, UNAUTH, OK, UNAUTH, UNKNOWN, UNKNOWN]),
+        (Level.STANDARD, [OK, OK, OK, OK, UNAUTH, OK, UNAUTH, OK, UNKNOWN]),
+        (Level.CAUTIOUS, [OK, OK, UNAUTH, UNAUTH, UNAUTH, OK, UNAUTH, OK, UNKNOWN]),
+        (Level.PARANOID, [OK, OK, UNAUTH, UNAUTH, UNAUTH, OK, UNAUTH, UNKNOWN, UNKNOWN]),
     ],
     ids=[level.name for level in Level],
 )
 def test_check_package(strategy_params, packages, level, reasons, as_regex):
     strategy = Strategy(**strategy_params)
     for package, reason in zip(packages, reasons):
         assert check_package(strategy, package, level, as_regex) is reason
+
+@pytest.mark.parametrize(
+    "license", [
+        "GNU Library or Lesser General Public License (LGPL)",
+        "GNU Lesser General Public License v2 or later (LGPLv2+)"
+    ]
+)
+def test_check_package_respects_licences_with_a_lowercase_or(license):
+    strategy = strategy_with_one_auth(license)
+    package = {
+        "name": "lgpl_example",
+        "version": "2",
+        "licenses": [license],
+    }
+    assert check_package(strategy, package, Level.STANDARD, False) is OK
+
+def test_check_package_splits_licenses_with_SPDX_OR():
+    # The SPDX standard allows packages to specific dual licenses with an OR operator.
+    # See https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60
+    mit_strategy = strategy_with_one_auth("MIT")
+    apache_strategy = strategy_with_one_auth("Apache-2.0")
+    gpl_strategy = strategy_with_one_auth("GPL-2.0-or-later")
+    package = {
+        "name": "mit_example",
+        "version": "2",
+        "licenses": ["MIT OR Apache-2.0"],
+    }
+    assert check_package(mit_strategy, package, Level.STANDARD, False) is OK
+    assert check_package(apache_strategy, package, Level.STANDARD, False) is OK
+    assert check_package(gpl_strategy, package, Level.STANDARD, False) is UNKNOWN
